Lab 2.0 - Reading Assembly Code Part 1

All code in this section is ‘psuedo-code’ created in order to understand the basics of assembly.

1.0 Connection

Exercise
Read the pseudo-code provided and try to explain execution flow.

Use the following code for this section of the lab.

Part 1:

bits 64
default rel

extern ExitProcess
extern WSASocketA
extern connect
extern htons
extern inet_addr
extern closesocket
extern WSACleanup

Part 2:

section .data
    url db "www.malienist.medium.com", 0
    port dw 80

Part 3:

section .text
global main

main:
    push    rbp
    mov     rbp, rsp
    sub     rsp, 32

Part 4:

xor     rax, rax
mov     rcx, rax
call    WSASocketA

Part 5:

push    2
push    1
push    6
lea     rdx, [url]
push    rdx
mov     rdx, rax
call    inet_addr
push    ax
push    dx
push    word [port]
push    rdx
call    htons
push    ax
push    dx
push    16
push    rsp
mov     rdx, rax
call    connect

Part 6:

    push    rdx
    call    closesocket
    call    WSACleanup

Part 7:

    xor     rax, rax
    call    ExitProcess

1.1 Encryption

Exercise
Read the pseudo-code provided and try to explain execution flow.

Use the following code for this section of the lab.

Part 1:

bits 64
default rel

section .data
    key db "SecretKey", 0
    plaintext db "What part of JMP RSP dont you understand?", 0
    ciphertext db 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ; placeholder for ciphertext

Part 2:

section .text
global main
main:
    push    rbp
    mov     rbp, rsp
    sub     rsp, 32

    ; Load the key into the key schedule
    mov     rsi, key
    mov     rdi, 256
    call    key_schedule

    ; Encrypt the plaintext using RC4
    mov     rsi, plaintext
    mov     rdi, ciphertext
    call    rc4_encrypt

    ; Print the ciphertext
    lea     rdx, [ciphertext]
    call    print_string

    ; Exit the program
    xor     rax, rax
    call    ExitProcess

Part 3:

; RC4 key scheduling algorithm
; Inputs:
;   rsi - pointer to the key
;   rdi - length of the key
; Modifies:
;   rcx, rdx - key schedule array
key_schedule:
    push    r12
    push    r13
    push    rbx

    xor     ecx, ecx
    mov     edx, 256
    mov     ebx, 0

    ; Initialize key schedule array
init_key_schedule:
    mov     byte [rcx], cl
    inc     rcx
    loop    init_key_schedule

    ; Key-scheduling algorithm
    mov     cl, byte [rsi]
    xor     bl, byte [rcx-1]
    xchg    byte [rcx+rbx], byte [rcx]
    xchg    byte [rcx], bl
    inc     rcx
    loop    key_schedule

    pop     rbx
    pop     r13
    pop     r12
    ret

Part 4:

; RC4 encryption algorithm
; Inputs:
;   rsi - pointer to the plaintext
;   rdi - pointer to the ciphertext
; Modifies:
;   rcx, rdx - key schedule array
rc4_encrypt:
    push    r12
    push    r13
    push    rbx

    xor     ecx, ecx
    xor     edx, edx

    ; Initialize variables
    mov     r12, rsi
    mov     r13, rdi
    ; Encryption loop
encrypt_loop:
    mov     cl, byte [r12]
    mov     dl, byte [rcx]
    add     ecx, edx
    xchg    byte [rcx+ecx], byte [rcx]
    xchg    byte [rcx], al
    xor     byte [r13], al

    inc     r12
    inc     r13
    loop    encrypt_loop

    pop     rbx
    pop     r13
    pop     r12
    ret
; Print a null-terminated string
; Input:
;   rdx - pointer to the string
print_string:
    push    rdi
    mov     rdi, rdx
    xor     eax, eax
    cld
print_loop:

1.3 Delete File

Read the pseudo-code provided and try to explain execution flow.

Use the following code for this section of the lab.

section .data
    filePath    db 'C:\path\to\file.txt', 0

section .text
    global _start

_start:
    ; Convert the file path to wide-character format
    lea     rdi, [filePath]
    call    ConvertToWideChar

    ; Call DeleteFileW to delete the file
    mov     rdi, rax     ; Pass the converted wide-character file path
    call    DeleteFileW

    ; Check the return value of DeleteFileW
    cmp     rax, 0
    je      error

    ; File deleted successfully, do further processing here

    ; Exit the program
    xor     eax, eax     ; Return 0 as the exit code
    ret

error:
    ; An error occurred, exit with error code
    mov     eax, 1       ; Return 1 as the exit code
    ret

; Function to convert a null-terminated ASCII string to wide-character format
; Returns the address of the converted string
ConvertToWideChar:
    push    rbp
    mov     rbp, rsp

    ; Get the length of the input string
    xor     rcx, rcx     ; Counter
    mov     rsi, rdi     ; Source pointer
    mov     dl, byte [rsi]
    inc     rcx
    inc     rsi
    cmp     dl, 0
    jne     .loop

    ; Allocate memory for the wide-character string
    lea     rdi, [rcx * 2 + 2]   ; Length * 2 + 2 (for null termination)
    call    malloc
    mov     rdi, rax     ; Destination pointer
    xor     rdx, rdx     ; Counter

    ; Convert each character to wide-character format
.loop:
    movzx   eax, byte [rsi]
    mov     word [rdi + rdx], ax
    inc     rdx
    inc     rdx
    inc     rsi
    cmp     al, 0
    jne     .loop

    ; Null-terminate the wide-character string
    mov     word [rdi + rdx], 0

    pop     rbp
    ret

section .text
    extern DeleteFileW, malloc

1.4 Start Process

Read the pseudo-code provided and try to explain execution flow.

Use the following code for this section of the lab.

ection .data
    commandLine db "C:\path\to\program.exe", 0
    startupInfo db 0
    processInfo db 0

section .text
global main

extern ExitProcess
extern GetStartupInfoA
extern CreateProcessA

main:
    ; Get the startup information
    lea rdx, [startupInfo]
    call GetStartupInfoA

    ; Start the process
    xor rax, rax                ; Set rax to 0
    xor r8, r8                  ; Set r8 to 0
    xor r9, r9                  ; Set r9 to 0
    xor r10, r10                ; Set r10 to 0
    xor r11, r11                ; Set r11 to 0
    lea rcx, [commandLine]      ; Address of the command line string
    lea rdi, [processInfo]      ; Address of the process information
    call CreateProcessA

    ; Check if the process creation was successful
    test al, al                 ; Check the return value in al
    jnz error                   ; Jump to error if an error occurred

    ; Process creation successful
    xor eax, eax                ; Set the exit status to 0 (success)
    call ExitProcess

error:
    ; Handle process creation error
    ; You can implement error handling code here

Please make sure that this lab is completed before you start the rest of the workshop. If there are any issues, please raise them to the instructor.